On March 11, 2020, the California Attorney General released a second set of modifications to the proposed regulations implementing the California Consumer Privacy Act. These modifications include important updates to the first round of modifications that were released on February 10, 2020. We have summarized the notable changes below.

Interested parties may submit written comments to the Office of the Attorney General regarding the proposed changes by 5:00 pm Pacific on March 27, 2020.

Definition of “personal information” – clarification removed

The modified regulations delete the previously added explanation that determining whether information is “personal information” under the CCPA means evaluating whether it is reasonably capable of being associated with, or reasonably linked to, a consumer or household. The deletion eliminates an example stating that personal information may not include IP addresses in certain circumstances.

Notice at collection – not required when collecting personal information from a third-party source

The modified regulations clarify that a business that does not collect personal information directly from a consumer does not need to provide a notice at collection to the consumer, as long as the business does not sell the consumer’s personal information. This exemption applies regardless of whether the business registers as a data broker with the California Attorney General.

Opt-out button/logo specifications removed

The modified regulations delete in their entirety specifications for the appearance and use of a button/logo to be used to promote awareness of the right to opt out of sales of personal information.

Privacy policies

Must explain procedures for confirming identities of parents/guardians that submit CCPA requests

The modified regulations require businesses that sell minors’ personal information to describe in their privacy policies their procedures for determining whether an individual submitting a CCPA request on behalf of a minor is the parent or guardian of the minor.

Must identify sources of personal information and business or commercial purpose for collecting or selling information

The modified regulations reinsert a previously deleted requirement that privacy policies must identify the categories of sources from which personal information is collected and identify the business or commercial purpose for collecting or selling information.

Verifying consumer requests – fee prohibition extended to authorized agent requests

The modified regulations clarify that the prohibition on charging consumers to verify their CCPA request extends to requests made by authorized agents.

Sensitive data – must disclose collection

The modified regulations provide that, while a business must not furnish the following sensitive data in response to a request to know, the business must inform the consumer whether the business has collected this data: Social Security number, driver’s license number or other government-issued identification number, financial account number, any health insurance or medical identification number, an account password, or security questions and answers, or unique biometric data.

Service provider data use – permitted use narrowed

The modified regulations clarify that a service provider’s use of personal information pursuant to a contract must be (1) performed on behalf of the business that provided or directed the collection of the personal information and (2) in compliance with the contract. The change implies that, even where a service provider has a contractual mandate from the business to use personal information in a certain way (e.g., to sell it), the use may not be permissible if not undertaken on behalf of the business.

In addition, the modified regulations provide that a service provider may use personal information obtained on behalf of a business to build or improve its services only so long as use does not include building or modifying household or consumer profiles for use in providing services to another business.

Recordkeeping requirements for large-scale data processors

The modified regulations clarify that the obligation to disclose metrics regarding CCPA request activity (i.e., number of requests received, complied with and denied; median days to substantively respond) applies to businesses that know or reasonably should know that they process personal information of 10 million or more consumers in a calendar year.


Adam Connolly

Katy Linsky

Posted by Cooley